Re: [twsocket] I like to send emails with ssl/01cert.pem but certificate too weak according gmail, any solution?
> What happens if this value is left blank as well -- does it skip
> checking validity of CA? Is there any way to have the components
> instead use the CA roots that Windows maintains in the
> Certificate Store?

Yes, the sample OverbyteIcsMsVerify.dpr will verify a certificate chain using the class TMsCertChainEngine, which uses the MS crypto API and the Microsoft root store. You need to add extra code to the onSslHandshakeDone event to ignore the OpenSSL result and call the engine instead.

All my own client applications and ICS components have options for both; look at TMagIpLog at:

https://www.magsys.co.uk/delphi/magics.asp

which also shows better ways of displaying certificate information from newer ICS versions.

> My concern is that installing a
> TrustedCABundle.pem file along with an application would lead to
> problems with it going stale.

Root certificates mostly have a very long life and major new ones are quite rare, although some do go out of favour, like Startcom currently, which is closing down. But there are hundreds of root certificates, many small countries want to issue their own, and our bundle does not include many of those. Windows should automatically download missing roots from Windows Update during validation, but this may be slow.

Angus

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
Re: [twsocket] I like to send emails with ssl/01cert.pem but certificate too weak according gmail, any solution?
On 12/5/2017 8:58 AM, Angus Robertson - Magenta Systems Ltd wrote:

> Client SSL applications rarely need to send certificates, so just leave
> SslCertFile and SslPrivKeyFile blank and everything should work.
>
> The confusion here is that the SslContext is used for both client and
> server applications, and it's not obvious which properties relate only
> to servers, clients, or both. Worse, most of the samples just offer all
> the options without explaining which are needed or why. Some background.

Angus, thank you so much for taking the time to provide this explanation for SSL client component usage. I recently began migrating quite a few applications that use client components to SSL; and while marveling at how easy you all made it, I do have some questions related to those of the originator of this post.

Regarding:

> Clients do still need Certificate Authority roots to be able to check
> the server is sending a valid certificate, so leave:
>
> SslCAFile := GlobalUserSettings.fCertDir + '\TrustedCABundle.pem';

What happens if this value is left blank as well -- does it skip checking validity of CA? Is there any way to have the components instead use the CA roots that Windows maintains in the Certificate Store?

My concern is that installing a TrustedCABundle.pem file along with an application would lead to problems with it going stale.

-Jeff
Re: [twsocket] I like to send emails with ssl/01cert.pem but certificate too weak according gmail, any solution?
> I'm trying to send email via gmail.com. Which perfectly worked
> since a while ago.
> but now it seems gmail (I think this is the reason) is rejecting
> the 01cert.pem certificate

Because the encryption is too weak.

Client SSL applications rarely need to send certificates, so just leave SslCertFile and SslPrivKeyFile blank and everything should work.

The confusion here is that the SslContext is used for both client and server applications, and it's not obvious which properties relate only to servers, clients, or both. Worse, most of the samples just offer all the options without explaining which are needed or why. Some background.

SSL certificates have two purposes, identifying a host and encrypting data. For SSL to work, a certificate and private key are needed to encrypt the data; the certificate is sent to the client and includes the public key so the client can negotiate encryption keys and can decode the data.

The only time a client needs a certificate is if it needs to identify itself to a server, mostly when using VPN to access remote networks, sometimes for servers with highly valuable information (like SWIFT international money transfer). It is the server that demands a client certificate, before allowing data to be sent.

In your case, newer versions of OpenSSL have higher minimum requirements for certificates, and 01cert.pem is probably very old. Note the current ICS release has one dated 2016 which should not give a problem, but it is still only required for server samples.

Clients do still need Certificate Authority roots to be able to check the server is sending a valid certificate, so leave:

SslCAFile := GlobalUserSettings.fCertDir + '\TrustedCABundle.pem';

Angus
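The two pieces of advice in this thread (Angus's first reply: leave SslCertFile and SslPrivKeyFile blank on a client but keep SslCAFile; his second reply: override the OpenSSL verdict in onSslHandshakeDone and ask TMsCertChainEngine instead) put together in one Delphi unit. This is an added example, not ICS sample code and not code from anyone in the thread. Every identifier not quoted in the thread is an assumption about the ICS API (SslVerifyPeer, SslVerifyPeerModes, SslVerifyMode_PEER, SslVersionMethod/sslBestVer_CLIENT, TX509Base.VerifyResult, X509_V_OK, TX509Base.PostConnectionCheck, smtpTlsExplicit, the unit names and the TMsCertChainEngine.VerifyCert signature), so check them against the ICS version you build with.

```pascal
{ Added example, not ICS code.  Assumed ICS identifiers are marked below. }
unit ClientSslSetup;

interface

uses
  SysUtils, Classes,
  OverbyteIcsWSocket, OverbyteIcsLIBEAY, OverbyteIcsSslX509Utils,
  OverbyteIcsMsSslUtils, OverbyteIcsSmtpProt;   // assumed unit names

type
  TGmailSender = class
  private
    FSmtp: TSslSmtpCli;
    FCtx: TSslContext;
    FMsEngine: TMsCertChainEngine;   // only created when the Windows store is chosen
    FUseWindowsStore: Boolean;
    procedure HandshakeDone(Sender: TObject; ErrCode: Word;
      PeerCert: TX509Base; var Disconnect: Boolean);
  public
    constructor Create(const CABundle: string; UseWindowsStore: Boolean);
    destructor Destroy; override;
    property Smtp: TSslSmtpCli read FSmtp;
  end;

implementation

constructor TGmailSender.Create(const CABundle: string; UseWindowsStore: Boolean);
begin
  inherited Create;
  FUseWindowsStore := UseWindowsStore;

  FCtx := TSslContext.Create(nil);
  { Client side: we never send a certificate, so both stay blank
    (the thread's advice; 01cert.pem is only needed by the server samples). }
  FCtx.SslCertFile    := '';
  FCtx.SslPrivKeyFile := '';
  { Roots are still needed so OpenSSL can chain the server certificate to a
    trusted CA.  Leaving this blank too would leave OpenSSL nothing to trust. }
  FCtx.SslCAFile          := CABundle;
  FCtx.SslVerifyPeer      := True;                  // assumed property
  FCtx.SslVerifyPeerModes := [SslVerifyMode_PEER];  // assumed property/constant
  FCtx.SslVersionMethod   := sslBestVer_CLIENT;     // assumed property/constant

  if FUseWindowsStore then
    FMsEngine := TMsCertChainEngine.Create;   // MS crypto API, Windows root store

  FSmtp := TSslSmtpCli.Create(nil);
  FSmtp.SslContext         := FCtx;
  FSmtp.Host               := 'smtp.gmail.com';
  FSmtp.Port               := '587';
  FSmtp.SslType            := smtpTlsExplicit;    // STARTTLS on 587 (assumed enum)
  FSmtp.OnSslHandshakeDone := HandshakeDone;
end;

destructor TGmailSender.Destroy;
begin
  FSmtp.Free;
  FMsEngine.Free;   // Free on nil is safe in Delphi
  FCtx.Free;
  inherited;
end;

procedure TGmailSender.HandshakeDone(Sender: TObject; ErrCode: Word;
  PeerCert: TX509Base; var Disconnect: Boolean);
var
  ChainStatus: LongWord;
  Trusted: Boolean;
begin
  Disconnect := True;                 // refuse unless every check below passes
  if (ErrCode <> 0) or (PeerCert = nil) then
    Exit;                             // the handshake itself failed

  if FUseWindowsStore then
    { Ignore OpenSSL's result and ask the Windows chain engine, as the
      thread describes.  Assumed signature: VerifyCert(Cert, Chain, out Status);
      Chain is nil here and Status = 0 is taken as CERT_TRUST_NO_ERROR. }
    Trusted := FMsEngine.VerifyCert(PeerCert, nil, ChainStatus) and (ChainStatus = 0)
  else
    Trusted := PeerCert.VerifyResult = X509_V_OK;   // OpenSSL verdict against SslCAFile

  { A valid chain is not enough: the certificate must also name the host we
    dialled, otherwise any certificate from any trusted CA would be accepted. }
  if Trusted and PeerCert.PostConnectionCheck(FSmtp.Host) then   // assumed method
    Disconnect := False;
end;

end.
```

The handler defaults to disconnecting and only clears Disconnect once both the chain check (OpenSSL or Windows, whichever was chosen) and the hostname check pass; this way a wrong assumption about one of the ICS calls fails closed rather than silently accepting the server.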